users@glassfish.java.net

Re: Multiple web-apps, Domains

From: <glassfish_at_javadesktop.org>
Date: Thu, 04 Jun 2009 21:39:11 PDT

Hi,

thanks for your answer.

I did not say that GlassFish has a security vulnerability. I meant that, for security reasons, we do not want the application to produce cookies and do session tracking with them.

This is in case the browser has a security vulnerability (missing updates, which we cannot check on the user's side) and someone steals the cookie and conducts session hijacking.

The problem is:

A web app is deployed and associated with a particular virtual host, and sun-web.xml contains the following values:

 <property name="enableCookies" value="false"/>
 <property name="enableURLRewriting" value="true"/>

GlassFish V2.1 tells you on startup that urlRewriting is not yet implemented.

Even if enableCookies is set to false, the jsessionid won't be appended to the URL unless you really switch off cookies in the browser. We would like to ensure that the jsessionid is ALWAYS appended to the URL.

It should be possible anyway to start a deployed web app from its deployment directory: $GF-ROOT/applications/j2ee-modules/myapp

If you enter this as the docroot, it is not considered in GF V2.1 and V3.

The context root obviously always points to $GF-ROOT/docroot/$context-root, not to the directory where the app is deployed.

Regards,
Dave
[Message sent by forum member 'seagate' (seagate)]

http://forums.java.net/jive/thread.jspa?messageID=349235
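For GlassFish V3 the "always append jsessionid" question has a standard answer that V2.1 does not have: GlassFish V3 implements Servlet 3.0, whose session tracking modes let a web app restrict tracking to URL rewriting, so the container never issues a JSESSIONID cookie and response.encodeURL() appends the id on every response rather than only when the browser has cookies off. The same setting can be declared in web.xml as <session-config><tracking-mode>URL</tracking-mode></session-config> instead of the vendor property in sun-web.xml. The code below is an added example and is not code from the post or from GlassFish; the package name, class names and the /session-check URL pattern are made up for illustration, and it assumes a Servlet 3.0 container (GlassFish V2.1 is Servlet 2.5 and has no SessionTrackingMode API).

```java
// Added example (not from the original post or from GlassFish): a Servlet 3.0
// web app that forces URL-only session tracking and reports, per request, where
// the session id actually came from.
package example;   // hypothetical package name

import java.io.IOException;
import java.io.PrintWriter;
import java.util.EnumSet;

import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet(urlPatterns = "/session-check")   // hypothetical URL pattern
public class SessionCheckServlet extends HttpServlet {

    /** Runs once at deployment and restricts session tracking to URL rewriting. */
    @WebListener
    public static class UrlOnlySessionConfig implements ServletContextListener {
        @Override
        public void contextInitialized(ServletContextEvent sce) {
            // Equivalent to <session-config><tracking-mode>URL</tracking-mode></session-config>
            // in web.xml. With COOKIE absent from the set the container never sets
            // a JSESSIONID cookie, whatever the browser's cookie settings are.
            sce.getServletContext().setSessionTrackingModes(EnumSet.of(SessionTrackingMode.URL));
        }

        @Override
        public void contextDestroyed(ServletContextEvent sce) {
            // nothing to release
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(true);
        resp.setContentType("text/html;charset=UTF-8");

        // The check the post is after: did this request carry its session id in
        // the URL, in a cookie, or not at all? In URL-only mode "cookie" must
        // never appear; if it does, the tracking mode did not take effect.
        String source;
        if (req.isRequestedSessionIdFromURL()) {
            source = "URL";
        } else if (req.isRequestedSessionIdFromCookie()) {
            source = "cookie";
        } else {
            source = "none (new session)";
        }

        // Every link the app emits must go through encodeURL(). In URL-only mode
        // the container appends ;jsessionid=... on every call, because it never
        // sees the id come back in a cookie. A hand-written href without it would
        // silently start a new session on the next request.
        String next = resp.encodeURL(req.getContextPath() + "/session-check");

        PrintWriter out = resp.getWriter();
        out.println("<p>Session " + (session.isNew() ? "created" : "resumed")
                + "; id came from: " + source + "</p>");
        out.println("<p><a href=\"" + next + "\">follow-up request</a></p>");
    }
}
```

Deploy it to GlassFish V3, open /session-check, follow the link, and the second response should report that the id came from the URL with no Set-Cookie header in either response. One caveat a practitioner would weigh before choosing this mode: an id carried in the URL also travels in Referer headers, proxy and access logs, browser history and bookmarks, which is why the usual alternative is to keep cookie tracking and mark the session cookie HttpOnly and Secure.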